Channel: Kings of War » UK
Cyber, Not Cypher

It is likely that the Strategic Defence and Security Review, to be published next week, will prioritize cyber security. So a lot will be said and written about “cyberwar” this week. Here are a couple of things to keep in mind and to watch for.

Last week already brought a major event in the debate about internet and information security. This previous Tuesday, Iain Lobban, the head of the GCHQ, the British equivalent to the American NSA, gave a noteworthy speech at the International Institute for Strategic Studies, across the road from King’s. The speech is truly remarkable, although it doesn’t say anything really new. Not just because he gave it at all — a rare step for the secretive agency with the doughnut-shaped home in Cheltenham. The GCHQ’s Lobban said a few prudent things, some hidden between the lines, which in my view were glossed over in most of the reporting and commentary on the widely covered speech.

Start with breadth. The cyberproblem is an extraordinarily wide and intricate one. “Cyber” encompasses, for instance, more and more online government services (read: steadily increasing vulnerability); critical national infrastructure, publicly or privately run; online crime in all its facets; espionage (both industrial and governmental), and such things as the “proper norms of behaviour for responsible states”. The problem, in Lobban’s analysis, “goes to the heart of our economic well-being and national interest.” This is an important insight. But a lot of tricky issues arise if you combine two things: the breadth of the cyber challenge, and the fact that this comes from GCHQ. And they’re all in the speech.

One is that partnerships of a new kind are needed to deal with cyber threats and risks. International partnerships, with like-minded countries that need to establish and maintain appropriate norms of behavior in crisis situations — and intersectoral partnerships, between government agencies and industry, especially the high-tech sector.

Another one is opportunity. One of the most remarkable elements of Lobban’s speech was ignored by all comments I read: “getting Cyber right enables the UK’s continuing economic prosperity” (his emphasis). 21st century knowledge societies thrive on secured intellectual property rights, creative industries, the high-tech sector, well-functioning financial services, and safe commerce. All of which is increasingly online. This is where GCHQ’s ambitions take off: it wants to help make the UK’s digital infrastructure “intrinsically resilient in the face of Cyber threats,” thereby giving the country a “competitive advantage” in the global economy. The cyber-challenge is not just a threat, it is also an economic and political opportunity. Such thinking is in line with the Digital Britain report and the UK’s Cyber Security Strategy (pdf). But now the argument is coming from the head of Britain’s most secretive agency.

So what does all this mean in concrete terms? Well, there are a couple of things that come to mind.

First, mind your metaphors. It is noteworthy that Lobban didn’t use the words “war” or “cyberwar” a single time, nor any other battlefield analogies. This is how it should be. Writing about digital trenches, digital Pearl Harbors and the like, should be corny and trite by now. Yet somehow these analogies don’t seem to lose their appeal. But they only create confusion, increase fear, and make some former pilots think they can now “fly” in cyberspace. Even Lobban could not entirely resist. In what is perhaps the most confused part of the speech, the spy chief said that “it may be possible to use military Cyber capabilities for deterrent effect.” Sure, cyber deterrence is not to be compared with nuclear deterrence or mutually assured destruction. So, well, look into the deterrence debate in criminology: “unless threat and fear are stressed, deterrence is a hodgepodge notion,” to quote Jack Gibbs, an influential author in criminology. But — if the GCHQ indeed is talking about deterring not conventional foes but cyber attackers — how do we want to threaten and frighten somebody in cyberspace if merely identifying him “is very, very hard,” as Lobban acknowledged. The issue is known as the attribution problem. Taking military comparisons online also is very, very hard, and should be done with great care. Which leads me to point two.

Don’t bet on NATO. Cyberspace, naturally, has been of high interest for NATO. Like other organizations in search of new missions that could remove doubts about their relevance — the U.S. Air Force and its fixation on cyberspace come to mind — some in the Alliance seem to see cyberspace as a life-saving opportunity. Anders Fogh Rasmussen, the Alliance’s secretary general, reportedly pushes the envelope on cyber-defence within the Atlantic Alliance. But Rasmussen’s up against three major problems: competition (was it Britain’s “competitive advantage” or NATO’s?), scope, and secrecy. That brings us to points three and four.

Specialize with care. Because the cyber challenge is such a broad one, as Lobban pointed out, there’s an inherent and well-known problem with “giving” the cyber mission to one specialized agency, such as, say, the U.S. Air Force or even the MoD, let alone to a military alliance. Giving the main responsibility to a military command or a small and newly established civilian office, such as the Office of Cyber Security, comes with its own set of risks. So the most important question to look for in next week’s review and accompanying statements is how the money will be allocated. £1bn is quite a lot of money in these times of belt-tightening, if The Register’s information proves correct. How to spend it best is an extraordinarily difficult question.

Four: mind these industry partnerships. Partnering with industry is highly desirable and necessary to make progress in cyber security, to help businesses protect themselves and their customers, to stiffen defenses against online attacks, to develop innovative methods, and to recruit the brightest minds. Perhaps industry partnerships are of an even higher order of importance than those with other countries in the framework of alliances. But these partnerships with the high-tech sector will be complicated to establish and to manage. And not just because there’s a looming culture clash between spies and high-tech entrepreneurs (figure Sergey Brin with his new Five Fingers in a wood-paneled Whitehall SCIF).

Finally, and most importantly: loosen up. GCHQ was formed in 1919 as the Government Code and Cypher School and is known for inventing public key cryptography, a tool to keep stuff secret. The fact that this organization is now at the forefront of cyber security is good and bad news at the same time. First off, it’s bad for partnerships, as intelligence cooperation even among allies can be highly problematic, especially when it comes to system vulnerabilities and questions of innovative methods and tactics that bring a “competitive advantage.” Second off, governments, and their intelligence and defence establishments, are only beginning to understand the cyber phenomenon. So, naturally, they are insecure and choose secrecy over openness. Nobody, especially no intelligence agency, wants to be caught with its pants down, confused and vulnerable. But loosening up, contrary to GCHQ’s culture of secrecy, will do more good than harm, if done right. Why? Lobban gives us the reasons: One is competition. If the British government — or any other, for that matter — wants to persuade investors and firms to bet on the UK’s superior information security, they have to offer something, show off their savvy, be transparent. That is difficult to do in a classified way. The second is partnerships. To work with partners in industry as well as internationally, substance is needed, not just secrets. The third is academic research. GCHQ considers it “crucial” to have “work by academia to broaden our research base and establish the mechanisms that will develop a large body of genuine expertise in the UK” — needless to say, secrecy is an obstacle here. And finally, if you don’t want to be accused of just trying to secure your budget, more details and more concrete facts are helpful.

It all leads to a bigger, philosophical issue. Sometimes some level of secrecy is essential, of course. But “cyber” itself may offer some clues on how to deal with this dilemma: stuff that is developed as open-source often is better and more secure than competing products that are done “in cypher.”
